In another notable case, the Office of Personnel Management
was hacked in an effort that ultimately exposed the personal information
of 21.5 million workers.

Who are these hackers. Some are backed by nation states and seek
to disrupt government and business operations. Others are criminals
interested in stealing personal information that can be sold. Then
there are cyber vandals who hack for the heck of it.

K-12 Cyber Risks

K-12 schools are at risk, too. Hackers literally shut down the Horry
County School District in South Carolina earlier this year. The criminals demanded $10,000 in digital Bitcoin, an Internet currency that is
difficult to trace. Horry County district officials didn’t want a standoff
that would shut down education in the district indefinitely; so, officials
decided to pay the ransom and get the schools back up and running.

In another case, a 17-year-old student hacked 15,000 student
records in the Sachem School District on Long Island and posted
personal information online. Experts say that hacking school records
is an epidemic problem that has no easy solutions.

Another pathway into a district’s computer systems lies with
vendors. Hackers sometimes manage to infect a vendor’s hardware
or software, and infect district files through an installation.

Are There Any Solutions?

“School hacking is a complex and moving target, and no district
should attempt to go it alone,” says Jim Flanagan, chief learning
services officer with the International Society for Technology and
Education (ISTE). “Small and large districts alike should find a partner
with expertise and insights into the problem and its solutions.”

Where can a district superintendent find a partner? Flanagan
recommends talking to officials at the district’s state education
agency, which can provide useful resources.

Flanagan also points to state ISTE affiliates and state Councils
on School Networking (COSNs). “COSN has great technical expertise
in this area,” Flanagan says.

“Additional resources to investigate are collaboratives. Almost
every district nationally is part of a collaborative. Some states
maintain collaboratives as local or statewide structures.

“There are lots of collaborative flavors. Some states, for instance,
have large counties and the schools there may be collaboratives
unto themselves.”

Flanagan suggests drawing vendors into collaborations as well and
points to two adjacent districts in Massachusetts. There, Chief Information
Officer Steve Smith of the Cambridge Public School District and
Mark Racine, director of Technology with Boston Public Schools, have
created an effective collaborative focused on preserving data security.

They have created a document that can be used as an addendum to a
vendor contract, Flanagan says. The document defines data privacy and
security requirements for vendors that contract with school districts.

With such a tool, individual districts need not start from
scratch, they can pick up this boilerplate language and add it to
their vendor contracts.

“Of course, the contract language states what is required of
vendors,” notes Flanagan. “But you also have to test vendors and
require them to prove that their software actually satisfies the
contractual requirements.

“Most vendors make a good safe effort, but all it takes is one app
that doesn’t meet the standards and your system may be breached.”

Flanagan goes on to say that districts that implement this system
can be sure that they are using the latest and greatest requirements.
He also notes that the contractual anti-hacking language is
constantly updated to account for new developments.

Student Data Privacy Consortium

Flanagan also recommends investigating the Student Data Privacy Consortium (SDPC) set up and facilitated by Community (A4L) and
several learning organizations, governmental agencies and vendors.

The Consortium’s mission is to develop tangible solutions that help
solve operational privacy issues for schools as well as vendors — by
combining its own tactical, real world efforts with those of the various
organizations working to buttress student privacy.

“Districts that have put into practice the recommended procedures
to ensure student data privacy realize that this requires
a great deal of time and resources,” says Steve Smith, Cambridge
Public Schools CIO and Chair of the SDPC. “Not all schools have the
required resources to implement these procedures effectively.

“Many of these best practices can be replicated across LEAs (Local
Education Agencies) and vendors through agreed upon procedures,
contract terms and common expectations. The Student Data
Privacy Consortium is bringing together LEAs, SEAs and Vendors
to create a more seamless process for ensuring student data privacy
such that all districts can meet expected best practices.”

Another Tool: The Cloud

The cloud can help, too. “More districts need to look toward the
cloud,” Flanagan says. “In a cloud based service, you get software
from the cloud and store documents there. Your server is in the
cloud instead of in a district service room or data center.”

IT directors can acquire Software As A Service (SAAS) from
vendor servers in a cloud.

But won’t IT directors lose some control over their systems and
data by doing this? Is that a good idea?

“You can buy network space in the cloud and operate your own
system,” Flanagan says. “The cloud isn’t a panacea, but I would
rather have my data with an organization whose primary business
is securing and distributing data — versus my own data center.”

Train Administrators, Faculty and Students

For these measures to function effectively in securing data,
administrators, faculty and students must handle data in secure
ways. That requires training for everyone.

“There are great training resources available for K-12,” Flanagan
says. “Common Sense Media, for example, is a non-profit
organization with great programs.”

Common Sense Media offers training programs for students as
well as administrators and faculty.

Resources include lesson plans, videos, interactives and assessments
in units for grades K to 2, 3 to 5, 6 to 8 and 9 to 12. In
addition, there are professional learning materials, family outreach
tools and a turnkey curriculum.

The Common Sense Media website offers much more than student
privacy ideas. All in all, says the website, the offering is everything
needed “to take a whole-community approach to digital citizenship.

BEST DATA SECURITY PRACTICES, FROM SCHOOLMESSENGER®

West Corporation’s West
Education Group has developed
nine best practices that educators
can use to promote data security.

Here they are:

Legal compliance is the basis of
developing school norms and
culture.

Check the quality of your
current practices by comparing
them with current regulations
and norms.

Managing regulations and
norms and insisting on
accountability form the basis for
safeguarding student data.

Extend your efforts through
communications with parents.

Support parents in their data
access and awareness of related
rights and possible risks.

Student privacy requires data
security.

Schools should direct and
manage data access for thirdparty
vendors and partners.

Staff awareness and training
in data security is essential to
success.

Continuing student education
reinforces good practice.

This article originally appeared in the January 2017 issue of School Planning & Management.